|Publication number||US7665138 B2|
|Application number||US 11/166,691|
|Publication date||Feb 16, 2010|
|Priority date||Dec 27, 2004|
|Also published as||US20060143707|
|Publication number||11166691, 166691, US 7665138 B2, US 7665138B2, US-B2-7665138, US7665138 B2, US7665138B2|
|Inventors||Chen-Hwa Song, Ying-Yuan Huang|
|Original Assignee||Industrial Technology Research Institute|
The present invention generally relates to network security, and more specifically to a detecting method and architecture thereof for malicious codes by using a system call analysis mechanism.
As information technology progresses rapidly and the Internet becomes ubiquitous, the daily life of society changes. Although information technology has brought much convenience, the related security problems have also grown to an alarming level. Recent attacks exploiting network security vulnerabilities have caused considerable damage. Network security is one of the most prominent issues in modern society.
Although most organizations and institutes have an Internet firewall in place, the firewall alone is insufficient to assure network security. When web pages are defaced or an internal host is implanted with a backdoor program, the firewall is bypassed and security is compromised. In the development of network security, the multi-layer defense mechanism includes a second layer, namely the intrusion detection system (IDS), which is gaining popularity.
However, the detection function of the conventional IDS is based on intrusion rules and signature information, not on behavior. Detection is therefore limited to pre-defined system events. The major drawback of this type of mechanism is that malicious code, meaning machine code injected into a software system to execute unauthorized operations, may arrive in an unforeseeable combination.
Because the malicious code is written by the intruder, the intruder can modify it or write different code to suit the purpose of the attack; the attack can therefore carry a different signature, so that a pre-defined signature analysis may miss it. In addition, the ubiquity of the Internet has caused malicious code to spread widely, which further exposes the drawbacks of the pre-defined signature approach.
The conventional IDS relies on specific, known data, the signature, to identify whether an attack has occurred. As attack techniques and types keep evolving, the conventional signature database faces the problem of size explosion and is still insufficient to contain the necessary information.
It is therefore necessary to provide a detection method and apparatus satisfying two conditions: first, the detection does not rely on signatures, so that no signature database is needed; and second, the detection method must have a high detection accuracy.
The present invention has been made to overcome the aforementioned drawback of conventional detection methods that use rules/signatures. The primary object of the present invention is to provide a detection method for malicious code, applicable to a computer system. The computer system includes one or more hosts, each host executes at least one application program, and each application program includes one or more processes. The detection method comprises the steps of: (a) intercepting all the system calls and related arguments from all the processes by a pre-installed system call monitor module on each host; (b) extracting pre-defined system calls from all the intercepted system calls by a malicious code analysis module; (c) determining whether the intercepted pre-defined system calls, arguments, and input data flow are suspected of including malicious code; if not, returning to step (a); (d) executing the suspicious malicious code and generating a behavior prediction for it; (e) comparing the predicted behavior with the actual behavior of the execution of the suspicious malicious code; if different, returning to step (a); and (f) issuing a warning of intrusion.
Another object of the present invention is to provide an architecture of the detection method, including at least a system call monitor module and a malicious code analysis module.
The system call monitor module is pre-installed on each host to intercept and output all the system calls and related arguments from one or more processes. The malicious code analysis module receives all the system calls and related arguments from the system call monitor module, and determines whether a warning should be issued after analysis and comparison.
The present invention does not rely on signatures; instead, it uses system call interposition, an operating system kernel-mode program that intercepts, modifies or interrupts all the system calls from the processes. Based on the input data received and the behavior of the processes, the interposition mechanism determines whether an attack has occurred, so it does not depend on the signatures commonly used in conventional technology. The present invention can detect both known and unknown attack techniques, and achieves a high detection rate and a low misjudgment rate without rule comparison. The present invention is applicable to heap/stack overflow, format string, integer overflow and other attacks.
The foregoing and other objects, features, aspects and advantages of the present invention will become better understood from a careful reading of a detailed description provided herein below with appropriate reference to the accompanying drawings.
An application program is attacked as a result of accepting data from malicious code. In other words, part of the input data to the application program comes from the malicious code, so that the application program behaves abnormally. Although an application program has many types of data input channels, they are not complicated from the system point of view. The following lists the data input channels that may be under attack:
I. When intruder and the victim processes are not on the same host:
The victim process relies on the network to read data. The most commonly used channels are the receiving system calls (such as recv( )) or the reading system calls (such as read( )) of the socket interface.
II. When the intruder and victim processes are on the same host:
The possible data input channels for the victim process include command line arguments, environment variables, file access, pipes and inter-process communication. Command line arguments and environment variables are passed through the executing system calls, such as execve( ), while file access and pipes pass data through the reading system calls. Inter-process communication is seldom exploited by malicious code and is therefore not considered in the present invention.
Accordingly, an application program mainly uses the following channels for data input: the receiving, reading and executing system calls. These channels carry normal data flow and possibly malicious code. Therefore, it is only necessary to monitor the data flow of these system calls, instead of all the system calls.
The present invention is applicable to a computer system including one or more hosts, each host executing at least one application program, and each application program having one or more processes. The detection method of malicious code comprises the following steps. In step 21, a system call monitor module 32 is pre-installed on each host and intercepts all the system calls and related arguments from one or more processes. System call monitor module 32 is configured to monitor application program 31 and processes 311-31N in the operating system. As shown in
In step 22, malicious code analysis module 35 extracts a plurality of pre-defined system calls from the intercepted system calls. Malicious code analysis module 35 (described in more details in
Step 23 is to determine whether a suspicious malicious code is included in the input data flow of the pre-defined system calls and related arguments. If so, proceed to step 24; otherwise, return to step 21.
The malicious code uses system calls to accomplish its intended behavior. For example, malicious code can use an executing system call to run a file, or change the privilege of the process with a call such as setuid( ). In the 32-bit x86 Linux convention assumed here, a system call is made through the software interrupt INT 80h; the system call number is passed in the EAX register and the first argument in the EBX register.
For example, on the Intel x86 series the instruction INT 80h encodes as the two bytes \xcd\x80 (\xcd is the INT opcode and \x80 the interrupt vector). Therefore, when the data flow of the pre-defined receiving, reading and executing system calls contains \xcd\x80, it may carry malicious code and further identification is required. The identification is performed by observing whether a register such as EAX is written shortly before the trap. Because the kernel identifies the system call by the number placed in EAX before INT 80h, a write to EAX is an indication of suspicious malicious code. The most common form is a move into the register: "mov eax, imm32" encodes as \xb8 followed by a 32-bit value, while shellcode, which usually has to avoid NUL bytes, zeroes EAX and then uses the 8-bit form "mov al, imm8", which encodes as \xb0 followed by a single byte. For example, the call to the privilege-changing system call setuid( ) (system call number 23, i.e. 17h) is:
|Instruction||Opcode (hexadecimal)|
|mov al, 17h||b0 17|
|. . .||. . .|
|int 80h||cd 80|
The system calls found in the data flow in this way are the system calls the suspicious malicious code intends to make. Step 24 is to execute the suspicious malicious code and generate its predicted behavior.
According to the present invention, malicious code analysis module 35 maintains malicious code predicted behavior table 41 for each process. As shown in
Step 25 is to compare the predicted behavior of suspicious malicious code 43 with the actual behavior of the execution of suspicious malicious code. If both show the same behavior, proceed to step 26; otherwise, return to step 21. Malicious code analysis module 35 continues to observe the suspicious malicious code in system call order, system call argument and the state of the registers (actual behavior) to determine whether it matches the system call order, system call argument and the state of registers (predicted behavior) in predicted behavior table 41.
Step 26 is to issue a warning of intrusion. When the actual behavior of a suspicious malicious code matches the predicted behavior of a malicious code, malicious code analysis module 35 issues a warning of intrusion to the host so that the host can take necessary protective actions to prevent further damages.
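The scan of steps 23 and 24 (finding \xcd\x80 in the input data flow, confirming the EAX set-up, and deriving the predicted system call number and first argument) and the comparison of steps 25 and 26 (matching the predicted table against the trace the monitor reports) are shown below in one added C example. This is not code from the patent or from ITRI. It assumes the 32-bit Linux/x86 convention (number in EAX, first argument in EBX, trap via INT 80h), decodes only the handful of register set-up instructions shellcode commonly uses before the trap, and runs over constructed sample data: an illustrative setuid(0)+execve("/bin/sh") payload, a benign HTTP request, a buffer containing stray trap bytes, and two hand-written system call traces.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARG_UNKNOWN 0xffffffffu  /* first argument is not statically predictable */

/* One row of the predicted behaviour table: what EAX (syscall number) and EBX
 * (first argument) should hold when the suspicious code reaches int 0x80. */
typedef struct { uint32_t nr, arg0; size_t at; } syscall_pred_t;

/* One system call as the monitor module would report it. */
typedef struct { uint32_t nr, arg0; } syscall_event_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Steps 23 and 24: walk the input bytes with a deliberately tiny x86 decoder that
 * only knows the register set-up idioms shellcode uses before int 0x80. A "cd 80"
 * pair becomes a prediction only when EAX has been set, mirroring the rule that
 * the trap bytes alone are not enough evidence. Returns the number of rows. */
size_t predict_syscalls(const uint8_t *buf, size_t len, syscall_pred_t *out, size_t max_out) {
    size_t n = 0, i = 0;
    int eax_known = 0, ebx_known = 0;
    uint32_t eax = 0, ebx = 0;
    while (i < len && n < max_out) {
        uint8_t op = buf[i], nx = (i + 1 < len) ? buf[i + 1] : 0;
        if (op == 0x31 && nx == 0xc0)       { eax = 0; eax_known = 1; i += 2; }                 /* xor eax,eax */
        else if (op == 0x31 && nx == 0xdb)  { ebx = 0; ebx_known = 1; i += 2; }                 /* xor ebx,ebx */
        else if (op == 0xb8 && i + 4 < len) { eax = le32(buf + i + 1); eax_known = 1; i += 5; } /* mov eax,imm32 */
        else if (op == 0xbb && i + 4 < len) { ebx = le32(buf + i + 1); ebx_known = 1; i += 5; } /* mov ebx,imm32 */
        else if (op == 0xb0 && i + 1 < len) {                                                   /* mov al,imm8 */
            /* Assumption: the 8-bit form is used after EAX was zeroed (NUL-free shellcode idiom). */
            eax = (eax & 0xffffff00u) | nx; eax_known = 1; i += 2;
        }
        else if (op == 0xb3 && i + 1 < len) { ebx = (ebx & 0xffffff00u) | nx; ebx_known = 1; i += 2; } /* mov bl,imm8 */
        else if (op == 0x89 && nx == 0xe3)  { ebx_known = 0; i += 2; }     /* mov ebx,esp: a pointer we cannot predict */
        else if (op == 0xcd && nx == 0x80) {                                /* int 0x80 */
            if (eax_known) {
                out[n].nr = eax; out[n].arg0 = ebx_known ? ebx : ARG_UNKNOWN; out[n].at = i; n++;
            }
            i += 2;
        }
        else i += 1;  /* anything else: step one byte; this is a heuristic, immediates may alias */
    }
    return n;
}

/* Step 25: the observed trace must contain the predicted calls in order, each with
 * the predicted number and, where one was predicted, the first argument. Only a
 * complete match yields the intrusion warning of step 26. */
int behaviour_matches(const syscall_pred_t *pred, size_t np, const syscall_event_t *trace, size_t nt) {
    size_t p = 0;
    for (size_t t = 0; t < nt && p < np; t++)
        if (trace[t].nr == pred[p].nr && (pred[p].arg0 == ARG_UNKNOWN || pred[p].arg0 == trace[t].arg0))
            p++;
    return np > 0 && p == np;
}

/* Whole pipeline for one process: scan its input, predict, compare with the trace. */
int judge(const uint8_t *input, size_t len, const syscall_event_t *trace, size_t nt) {
    syscall_pred_t pred[16];
    size_t np = predict_syscalls(input, len, pred, 16);
    return behaviour_matches(pred, np, trace, nt);
}

/* Constructed sample data (illustrative, not from the patent). PAYLOAD is 16 filler
 * bytes followed by classic Linux/x86 setuid(0) then execve("/bin/sh") shellcode. */
static const uint8_t PAYLOAD[] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x31,0xc0, 0x31,0xdb, 0xb0,0x17, 0xcd,0x80,                  /* xor eax,eax; xor ebx,ebx; mov al,23; int 0x80 */
    0x31,0xc0, 0x50, 0x68,'/','/','s','h', 0x68,'/','b','i','n',  /* push 0; push "//sh"; push "/bin" */
    0x89,0xe3, 0x50, 0x53, 0x89,0xe1, 0x31,0xd2,                 /* ebx=path; push 0; push ebx; ecx=argv; edx=0 */
    0xb0,0x0b, 0xcd,0x80                                         /* mov al,11; int 0x80 */
};
static const uint8_t REQUEST[] = "GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n";
static const uint8_t STRAY[] = { 'x', 0xcd, 0x80, 'y' };  /* trap bytes with no register set-up */

static const syscall_event_t TRACE_ATTACK[] = { {3, 4}, {23, 0}, {11, 0xbffff7a0u} };  /* read, setuid(0), execve */
static const syscall_event_t TRACE_NORMAL[] = { {3, 4}, {4, 1}, {23, 1000}, {6, 4} };  /* read, write, setuid(1000), close */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

size_t payload_prediction_count(void) { syscall_pred_t p[16]; return predict_syscalls(PAYLOAD, sizeof PAYLOAD, p, 16); }
uint32_t payload_prediction_nr(size_t i)  { syscall_pred_t p[16]; return i < predict_syscalls(PAYLOAD, sizeof PAYLOAD, p, 16) ? p[i].nr : 0; }
uint32_t payload_prediction_arg(size_t i) { syscall_pred_t p[16]; return i < predict_syscalls(PAYLOAD, sizeof PAYLOAD, p, 16) ? p[i].arg0 : 0; }
int case_attack(void)         { return judge(PAYLOAD, sizeof PAYLOAD, TRACE_ATTACK, COUNT(TRACE_ATTACK)); }  /* 1: warning */
int case_normal_trace(void)   { return judge(PAYLOAD, sizeof PAYLOAD, TRACE_NORMAL, COUNT(TRACE_NORMAL)); }  /* 0: predicted calls never happen */
int case_benign_request(void) { return judge(REQUEST, sizeof REQUEST, TRACE_ATTACK, COUNT(TRACE_ATTACK)); }  /* 0: nothing to predict */
int case_stray_trap(void)     { return judge(STRAY, sizeof STRAY, TRACE_ATTACK, COUNT(TRACE_ATTACK)); }      /* 0: cd 80 without EAX set-up */

int main(void) {
    printf("predicted rows: %zu (first nr=%u arg0=%u)\n", payload_prediction_count(),
           payload_prediction_nr(0), payload_prediction_arg(0));
    printf("attack=%d normal=%d benign=%d stray=%d\n", case_attack(), case_normal_trace(),
           case_benign_request(), case_stray_trap());
    return 0;
}
```

The two negative cases show why the patent insists on both halves of the method: the stray trap bytes produce no prediction because EAX is never set, and the normal trace produces no warning because setuid(1000) does not match the predicted setuid(0), even though the same payload was seen in the input. A real analysis module would need a proper length decoder, since this byte-stepping heuristic can misread immediates and strings as instructions.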
As aforementioned, system call monitor module 32 must be pre-installed on each host that requires the detection. On the other hand, malicious code analysis module 35 can be categorized, based on the installation, into three different structures: host, network and embedded system.
As shown in
It is worth noticing that extraction unit 701, execution unit 702, and comparison unit 703 in
The present invention uses a malicious code analysis module to execute suspicious malicious code and compares the behavior of the execution with the predicted behavior of the malicious code to determine whether an intrusion is detected. The present invention does not rely on the attack signatures commonly used in a conventional IDS; therefore, it is not required to maintain a large signature database. In addition, the present invention provides a high detection rate and a low misjudgment rate, and is able to detect both known and unknown attacks.
Although the present invention has been described with reference to the preferred embodiments, it will be understood that the invention is not limited to the details described thereof. Various substitutions and modifications have been suggested in the foregoing description, and others will occur to those of ordinary skill in the art. Therefore, all such substitutions and modifications are intended to be embraced within the scope of the invention as defined in the appended claims.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US4001819||Jan 31, 1975||Jan 4, 1977||Wise Security Corporation||Alarm system for combined hazard detections|
|US5163088||Mar 6, 1991||Nov 10, 1992||Locascio Peter||Facsimile security system|
|US5359659||Jun 19, 1992||Oct 25, 1994||Doren Rosenthal||Method for securing software against corruption by computer viruses|
|US5398196 *||Jul 29, 1993||Mar 14, 1995||Chambers; David A.||Method and apparatus for detection of computer viruses|
|US5414833||Oct 27, 1993||May 9, 1995||International Business Machines Corporation||Network security system and method using a parallel finite state machine adaptive active monitor and responder|
|US5684875||Oct 21, 1994||Nov 4, 1997||Ellenberger; Hans||Method and apparatus for detecting a computer virus on a computer|
|US5940002||Oct 10, 1997||Aug 17, 1999||Ut Automotive Dearborn, Inc.||Security system with random number remote communication|
|US5960177||Mar 12, 1996||Sep 28, 1999||Fujitsu Limited||System for performing remote operation between firewall-equipped networks or devices|
|US6108799 *||Mar 12, 1998||Aug 22, 2000||International Business Machines Corporation||Automated sample creation of polymorphic and non-polymorphic marcro viruses|
|US6205115||Sep 9, 1998||Mar 20, 2001||Tdk Corporation||Disc cartridge|
|US6237036||Dec 21, 1998||May 22, 2001||Fujitsu Limited||Method and device for generating access-control lists|
|US6594780||Oct 19, 1999||Jul 15, 2003||Inasoft, Inc.||Operating system and data protection|
|US6732279||Jan 16, 2003||May 4, 2004||Terry George Hoffman||Anti-virus protection system and method|
|US6757822||May 31, 2000||Jun 29, 2004||Networks Associates Technology, Inc.||System, method and computer program product for secure communications using a security service provider manager|
|US6775780 *||Mar 16, 2000||Aug 10, 2004||Networks Associates Technology, Inc.||Detecting malicious software by analyzing patterns of system calls generated during emulation|
|US6779117||Jul 23, 1999||Aug 17, 2004||Cybersoft, Inc.||Authentication program for a computer operating system|
|US7093239 *||Aug 18, 2000||Aug 15, 2006||Internet Security Systems, Inc.||Computer immune system and method for detecting unwanted code in a computer system|
|US7181768 *||Oct 30, 2000||Feb 20, 2007||Cigital||Computer intrusion detection system and method based on application monitoring|
|US7225204 *||Mar 19, 2002||May 29, 2007||Network Appliance, Inc.||System and method for asynchronous mirroring of snapshots at a destination using a purgatory directory and inode mapping|
|US7370360 *||May 13, 2002||May 6, 2008||International Business Machines Corporation||Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine|
|US20050193428 *||Jun 17, 2004||Sep 1, 2005||Ring Sandra E.||Method, system, and computer-readable medium for recovering from an operating system exploit|
|US20060031673 *||Nov 23, 2004||Feb 9, 2006||Microsoft Corporation||Method and system for detecting infection of an operating system|
|TW477140B||Title not available|
|TW574655B||Title not available|
|1||*||"Fork (operating system)"-Wikipedia, the free encyclopedia; Feb. 27, 2005; pp. 1-3; "http://en.wikipedia.org/w/index.php?title=Fork_(operating_system)&oldid=10609259".|
|2||*||"YoLinux Tutorial: Fork, Exec and Process control"; copyright 2004, 2005 by Greg Ippolito; pp. 1-19; "http://www.yolinux.com/TUTORIALS/ForkExecProcesses.html".|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US8042186||Oct 18, 2011||Kaspersky Lab Zao||System and method for detection of complex malware|
|US8127276||Apr 3, 2007||Feb 28, 2012||Institute For Information Industry||Apparatus, method, and computer readable medium thereof for generating and utilizing a feature code to monitor a program|
|US8769373||Oct 5, 2010||Jul 1, 2014||Cleon L. Rogers, JR.||Method of identifying and protecting the integrity of a set of source data|
|US9294503||Aug 26, 2013||Mar 22, 2016||A10 Networks, Inc.||Health monitor based distributed denial of service attack mitigation|
|US9372989||Feb 13, 2014||Jun 21, 2016||Systems of Information Security 2012||Robust malware detector|
|US20080148226 *||Apr 3, 2007||Jun 19, 2008||Institute For Information Industry||Apparatus, method, and computer readable medium thereof for generating and utilizing a feature code to monitor a program|
|U.S. Classification||726/24, 726/23, 726/22, 726/25|
|Jun 26, 2005||AS||Assignment|
Owner name: INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE, TAIWAN
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SONG, CHEN-HWA;HUANG, YING-YUAN;REEL/FRAME:016736/0773
Effective date: 20050617
|Apr 1, 2011||AS||Assignment|
Owner name: A10 NETWORKS, INC.-TAIWAN, TAIWAN
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE;REEL/FRAME:026062/0698
Effective date: 20110318
|May 17, 2011||AS||Assignment|
Owner name: A10 NETWORKS, INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:A10 NETWORKS, INC.-TAIWAN;REEL/FRAME:026291/0488
Effective date: 20110510
|Mar 14, 2013||FPAY||Fee payment|
Year of fee payment: 4
|Aug 22, 2013||AS||Assignment|
Owner name: A10 NETWORKS, INC., CALIFORNIA
Free format text: CHANGE OF ADDRESS;ASSIGNOR:A10 NETWORKS, INC.;REEL/FRAME:031075/0954
Effective date: 20130822
|Sep 30, 2013||AS||Assignment|
Owner name: ROYAL BANK OF CANADA, AS COLLATERAL AGENT, CANADA
Free format text: SECURITY INTEREST;ASSIGNOR:A10 NETWORKS, INC.;REEL/FRAME:031485/0284
Effective date: 20130930
|Oct 15, 2015||SULP||Surcharge for late payment|